Elevate masterclass: Protecting your business against online threats.
[Music] hello everyone and welcome my name is amir navette i'm the security awareness and communications manager at booking.com and today i'm happy to be joined by two of our security directors baltina bonzi and ben carroll hey amir it's great to be here thanks for having us thanks both and uh today's conversation we'll be discussing cyber security recipes for success and how together we can ensure our partners customers and business is safe and secure so jumping right off uh i'd really love to hear more about you and uh would love to know how you would describe your job to a complete stranger on the street so let's start with valentina and then move to bed sure what i would say is that i protect the data that partner and customers share with booking.com from online criminals yeah and on my side uh i see it as a challenging game of cat and mouth or a trust and safety protector i love that and uh even more to that uh how do you think your family would describe the job that you do today i would think that they say that i sit in calls all day and uh kind of get annoyed when they try to jump into the camera view yeah and i think on my side i don't think they really know what i do security is often seen as a bit of a black box uh so what i find useful is always to relate it to more physical security so thinking of an airport and the different controls from from check-in and customs right through to a valid boarding pass before you get onto the plane that's awesome and when we move in a little deeper uh i'd love to hear more about what the defining career moment was for both of you in your jobs today and valentino why don't you uh start us off sure for me it was how i landed in security was the moment when i was asked to join the security team to help it scale it and use my expertise in working with other engineering teams at booking and also my uh extensive time of booking uh to use my network for for that uh it was quite a defining moment because it also meant that for booking we were ready to invest a lot more in security because the company was growing so much it was becoming much more much more of a target yeah and for me uh it all started back in 2014 there was definitely an increase in cyber security threats that we were seeing targeting hospitality and booking.com decided to make uh some significant investments around uh detection prevention and also response right uh so at the time i applied for the the lead role of our security and fraud operations and and that's where my journey started fantastic i think now uh we can learn a lot more we've learned a lot more about you and let's jump right on in so in our first section uh we want to really focus on cyber security crime and so it's safe to say with your experience you're very well aware of how those cyber criminals operate and when we think about the coronavirus pandemic how would you say chronovirus has impacted their ways of working in a few ways actually right so we see a shift to remote work uh which also means different uh channels that they can use to to actually exploit technology or people um and then on a different front we also see a lot more unemployment rate unfortunately which means a higher number of people that can be employed by criminals right to to to follow their their needs um and then uh in addition to that on the receiving end people are in general more scared more you know fearful of what's going on so they're definitely more willing to listen when you mention something related to kovit right so shifting this uh technique to exploit this fear and also using material that is much more related to the current pandemic has been quite quite a trend yeah absolutely uh thanks for that valentina it is really unfortunate that criminals are capitalizing on the pandemic but i heard some really clear points there about the security threats and how we need to be aware of all of them and when we continue to think about this from the partner perspective what would be looking out for and i'll hand this off to you bountina sure the two main threats remain fishing and social engineering just to explain a bit more what these two terms mean fishing is usually an email you would get with a link to a website that turns out to be malicious but from the look of it it doesn't look malicious and usually the site would ask for credential information your login your password or see on a similar note social engineering is usually performed by phone uh and somebody would just call you up to ask exactly the same information right to gain uh yeah to basically gain uh insight into what are the logging credentials you have or whatever information that is considered sensitive um so this well this remain uh the threats that we've observed in the past as well uh what we also see is that there wasn't a decrease in these threats right so we definitely didn't see the decrees that went with decreasing transaction decreasing in people traveling so this stress remained as high as as ever um and then uh to give an example of what i said before a fraudster exploiting the crisis they tend to use maybe covenanting themed email phishing campaigns where people are more willing to uh they see the urgency right off of that topic so they're more willing to respond basically to what they receive yeah some really good points there valentina and actually just thinking in terms of some tips and hints to really help stay safe i guess against phishing and social engineering attacks uh you know what what can our partners do uh firstly always check the sender name and email address and always you know just do those checks to make sure it's genuine i think valentina sort of touched on the urgency topic and we need to be really careful if you receive something that's highly urgent always just take that step back and reflect especially if it's asking for personal details credit card information uh or in some cases even account passwords uh you know where you're expecting this email what is the tone of the email also incorrect spelling is a key giveaway so always look out for some incorrect spelling uh within within those emails and always hover over the link it's really easy to do you just sort of drag the mouse and make sure that the link is from the sender as i said before but never click on it and then finally always report via the partner hub for booking.com yeah thank you both i think it's really quite interesting valentina as you said that we would expect it to go down the the social engineering and phishing attacks but they actually haven't and uh ben on your side those tips are incredibly helpful to spot the warning signs for anybody who could be a target and when we continue on this thought are there any other examples we can think of as far as threats and um laying that out for any viewers today valentina any thoughts on that yeah i think in general across the the e-commerce industry what has been seen is that scammers tend to use um kovit as a way to uh inflict urgency on people like to make them actually uh respond uh to what they're trying to to to get um and an example of that would be a call from a pretend booking employee saying that they need uh to give the partner an update on covenanting like something urgent that might impact the property they might have to close or something like that but before doing so they ask for login details of the property right yeah and i guess keeping up to date uh valentina with the current risks and just making sure that you've got the right uh security uh controls in in place to protect ourselves i think also uh what we've seen particularly over the last 12 to 18 months is more sophisticated attacks targeting different segments of travel uh with ransomware and also malware from transports and logistics cruise companies and and many others and so these type of attacks really take advantage of the weaknesses in security controls or even taking advantage of employees and their lack of awareness around security risks and so then they accidentally download malicious malware onto their computers and so with these type of attacks there's very much major disruption to business operations we've seen companies that were offline for hours even days not to mention the unauthorized access to customer and company data so circling back i think it's best to assess the risk make the right investments into security keep updated of course on emerging risks and just ensure that there's a regular security awareness and for both your employees and your customers absolutely uh that was all incredible information uh really useful and i think the practical examples also add a lot of weight as well and in this next section it's really important that we also look at things from the partners perspective and in the partnership so i'd love if you could tell us a little bit more about who cyber criminals actually target and why and let's start with valentina to get your thoughts on this yeah yeah so basically one thing that we see is that a quite common target would be somebody that is used to taking a lot of calls maybe a lot of them like in a sequence right so it would go through them uh quite often in their day and then also they're very customer focused right so they would uh always have the mindset of trying to solve the problem of the person on the other side um another angle may be targeting employees who actually work the night shifts and so they work where they are more usually alone uh and and therefore they are less likely to be able to check with somebody else whether this is a legitimate request or not thanks valentina that's some really great points i think it's important we also touch on the point of urgency in this conversation ben is there anything else you'd like to add for us yeah look thanks amir uh as i touched on before uh cyber cyber criminals also target employees that hence handle sensitive data as well as executives right so for example with uh spearfishing attacks they target high value individuals that have access to systems or specific data that could be your accounts payable staff reservation or even front desk check-in staff so also while not specific to the hospitality industry we also see whaling attacks and so they're really sophisticated attacks that really target that ceo or c-suite level right and with that they really build trust and credibility through a whole range of different tactics and to valentina's point earlier you'll then receive naturally a very urgent request for a funds transfer uh due to a merger or acquisition or something of that effect uh and also booking.com so from time to
time we do see social engineering attempts targeting our hotel partners and their employees and the main purpose of that is to access systems uh that have customer data and also payment card information but they do this naturally to steal payment card information or even use the reservation data to scam customers at the end of the day so already always remember those sort of red flags that we've discussed before and watch out where there's a level of urgency around a request thanks ben uh this was all really valuable to you know understand the different levels of which security can be uh targeted and how we can help prevent it and you both have spoken a lot about how partners should react to these situations and i'm curious now whether there's anything partners can proactively do to help prevent them valentino why don't you uh start us off yeah i can start so first of all let's uh focus on the fact that part the attackers would mostly be looking at to get access to credit cards or to other sensitive information about the guests right so the first thing to remind yourself is to keep the credit cards as secure as you possibly can so don't print them don't share them with anyone um and if you can enroll in payments by booking so that you don't even get to to see the credit cards and the payment is handled securely for you by by us um the second point uh is what ben already touched on like make sure your login credentials are kept safe uh what i mean with this is that uh mostly what part what the attackers would try to do is to get access to your login and password sometimes asking you to do so remember that booking.com will never ask you for your login and password so there is no legitimate reason why you should be sharing it uh but in addition to that you also have a two-factor authentication um and for that to be as secure as possible you need to make sure that only authorized devices are actually in the list of devices who can get the second factor so the the pin um and also remember to remove a device when you change your phone and perhaps use the pulse app as a second factor that's also a good way to to keep safe um still related to accounts it's important as much as you don't share those accounts with a you know a stranger you shouldn't also share it within your employee base so make sure everyone has their own individual account this is important because then you can tweak what each employee can actually see so not everybody gets to see everything but you know only things that are related to what they actually need to do their job um and the last point is also make sure you inform yourself about the new trends in security in the partner hub yeah thank you so much i think all of that really touches on a number of really important points for partners to consider and moving into our next section uh we want to think about that it might be safe to assume that booking really has a big role in this uh would that be safe to say yeah definitely right for us trust is at the key uh is a key thing that we provide right it's at the heart of our platform uh there wouldn't be a platform if we couldn't provide this trustworthy relationship between ourselves the partners and the customers i would completely agree trust is really at the core and heart of our uh our mission here and uh on that point how do we uh speak more to how booking is investing and protecting not only our customers but also our partners uh valentino why don't you shed some more light here for us yeah so we have a team of dedicated professionals right who are skilled in different fields and then every day monitor what's going on and try to detect suspicious behavior fraud and this kind of things like specifically we do um we have always on monitoring through automated tooling to machine learning algorithms that check for suspicious activity we also enforce strict authentication rules that's why partners have to perform two-factor authentication to access their details on the booking.com systems and then we also do monitoring of the payments that we take through our platform right so whatever uh transaction happens gets uh checked for different data points to see if it could be a suspicious transaction um and then of course like we also have an open channel with our partners but we uh very much encourage you to report uh through reporterbooking.com for anything suspicious you might see that's all really useful thank you so much uh valentina from a fraud perspective is there any more insight you could provide for us ben yeah definitely thanks samir and definitely uh looking at the agency model uh in terms of that platform and fraud monitoring that we we have in place we do take uh many precautions there's dedicated teams uh to to protect you uh from fraud and the availability and naturally the cost of of chargebacks but what can partners do also to help themselves um and protect themselves here we recommend taking a temporary zero dollar authorization on the payment card to confirm that it's valid if the card is invalid then request a new payment method through the the extra mark so that's a key opportunity uh to get a different payment method uh beyond that if you are receiving a significant volume of bookings and you do suspect them to be fraudulent then work with us contactbooking.com and we'll look at
what additional prevention methods we can put in place and then finally always engage with your payment service provider because there's also additional fraud screening that they may be able to provide for cardinal present transactions thanks so much i think it's really good that we get both sides of the coin there and uh those all sound real uh like really important points for partner security to take into account so next uh thinking even further when it comes to customers is there anything booking is doing to help safeguard them and uh to get this rolling let's hand off to valentina yeah so on the customer side we have to make sure that customers feel they're safe and secure their investment is is not at risk right when they make a booking on our site to do this uh we try to do a few things so first of all we make sure that the information displayed on our site is accurate right so that they know exactly what to expect when they show up at the property um and then we process the payments in a secure and compliant way so that they know that this is uh that their payment uh method is safe um and then what we also do for society at large i would say and the industry is that we have to follow basically local regulations right and international regulations the most important ones maybe are gdpr and pci data security standards that we have to abide by in addition to this we also do like third-party assessments of our security controls by an independent party to make sure that we are always up-to-date and we are always implementing the latest recommendations valentina thanks i think that was all really useful information not just about partner support but also about how we protect our customers as well then i'd love to hear a little bit more from you around practical examples of how we safeguard and support our customers uh take it away yeah great thanks amir and let's walk through i think some of the more practical ways that we're safeguarding our customers here at booking.com we offer two-factor authentication on customer accounts so that adds an additional layer of security to protect their information we also offer 24 7 security reporting channels for any suspicious calls emails or even activity on an account we have the trust and safety resource centre which has tips and hints to protect and support both their partners and also our customers and then finally we have a dedicated customer service team operating 24 7 in over 40 languages all around the world fantastic that all sounds like there's a lot of investment here so even more to that i know our global partners really look to bookings to help them stay ahead and given both of your knowledge and expertise do you see any major long-term impacts on cyber security as a result of the pandemic today yeah i would like to speak about two different angles so one is uh we do see a trend of more people uh working remotely for the long for the long term right so in that sense i think investing in better and secure wi-fi would be a good investment because more uh customers will probably stay on your property to also work from there not only for uh vacation and then the other angle is prepare your employees also to work from anywhere right the difference is of course they need to have their technology up to date making sure their antivirus software is uh upgraded uh in all of these things but also um they need to be more trained on uh what social engineering tax tactics or phishing attempts they might receive because being remote also means that we don't have any colleague to check in with uh to make sure that what they're being requested to do is legitimate great thank you valentine those are really great to be able to uh get some insight not only on guests but also on employees as well ben is there any uh more insight you could shed light on here yeah sure uh look not as cyber security focus but i think what we've seen through the the pandemic as we work together towards recovery we must take time to sort of reflect on how much the hospitality industry has been impacted and how customer travel expectations have evolved so as an industry we need to continue to explore how we come together and focus on a broader range of security health and safety measures to build customer trust tackle the cyber security risks we see and provide an even safer travel experience for our customers and partners yeah certainly all those really work together i think to contribute to trust and um really insightful points for both of you thanks and moving on to our next section uh i'd love to you know it's important to always think about not always what will change but what won't change the fundamentals and the the the pillars and the essentials so can you help our partners with any insights on this valentina um i'll pass this off to you to begin yeah sure um so what one change is that the target the data points that the attackers are still after are still the same right so they would be looking at getting credit cards or information about the customers um so it's quite important that you keep uh those details safe um the attacks ways are still going to be the same so getting to your login credentials is still going to be quite uh a key way in which attackers will get access to your information so make sure you use two-factor authentication properly and you check which devices have access to it um same for using individual accounts as i said before and not sharing the credentials for those accounts with anyone um and in general just keep reporting to reporterbooking.com anything you see that might be suspicious right so when you see something just say something it's very important that we work together on this fantastic i think those points are all really uh cohesive not a really good summary of a lot of what we covered today and so to close out our session and give partners uh a chance to hear some words of wisdom are there any closing remarks you'd love to share uh with our partners today listening yeah maybe i can start i think in my view right uh because trust is so key to the to the platform that we manage but it's also so key to the ecosystem we have to keep working together with our partners to make sure this trust uh is kept in the whole journey for for all parties involved yeah absolutely yeah look uh i think following on from that for me trust and safety is core and and so if we sort of take that away uh today that that's really important as is we're in this together right and i spoke to that before as an industry we need to come together and really look at how we we better protect our customers and their information and then finally report anything suspicious we're here available to help 24 7. so if you get that strange call the weird email comes through or that sense of urgency make sure uh to get in contact with us uh great thank you both valentina and ben so much for joining me today and sharing all of your expert insights for more information about how booking.com protects your cyber security head to partner.booking.com and check
out our cybersecurity page under the solutions tab